Revert to permissive for coreos-installer & bootupd #2257

Open
wants to merge 2 commits into base: rawhide

Conversation

travier
Contributor

@travier travier commented Jul 23, 2024

Temporarily revert to permissive for those domains so that we have time to fix the issues that we missed earlier.


Revert "Remove permissive domain for bootupd_t"

This reverts commit 0cbc7da.


Revert "Remove permissive domain for coreos_installer_t"

This reverts commit cd99e90.

@HuijingHei

HuijingHei commented Jul 31, 2024

I have no objection to this, but maybe we should exclude afterburn, as the issue https://bugzilla.redhat.com/show_bug.cgi?id=2254975 was already fixed and there is no new bug for it.

But there are existing bugs for bootupd and coreos-installer:

@travier travier changed the title Revert to permissive for afterburn, coreos-installer & bootupd Revert to permissive for coreos-installer & bootupd Jul 31, 2024

@HuijingHei HuijingHei left a comment

LGTM

@cgwalters
Contributor

For the record I still generally don't think it's a valuable effort to confine bootupd or coreos-installer.

@jlebon
Contributor

jlebon commented Aug 28, 2024

@zpytela Can you take a look at this? Otherwise, we'll likely have to set them back to permissive downstream in the CoreOS configs until the associated bugs are fixed.

(Note also since this bug was opened, branching happened, so this needs to be fixed in both rawhide and f41.)

@jlebon
Contributor

jlebon commented Aug 28, 2024

For coreos-installer, https://bugzilla.redhat.com/show_bug.cgi?id=2305385 is the one for Fedora.

marmijo added a commit to marmijo/fedora-coreos-config that referenced this pull request Aug 29, 2024
Recent changes in the SELinux policy have broken a lot of our code.
Revert the affected domains back to permissive mode until
fedora-selinux/selinux-policy#2257 merges
and the domains are reverted back to permissive mode upstream.

bootupd_t: https://bugzilla.redhat.com/show_bug.cgi?id=2300306

coreos_installer_t: https://bugzilla.redhat.com/show_bug.cgi?id=2305385
@travier
Contributor Author

travier commented Aug 29, 2024

For the record I still generally don't think it's a valuable effort to confine bootupd or coreos-installer.

I agree as well that we should not confine those tools. I tried to argue that in:

@zpytela Could you point us to the exact rule mentioned in #2145 (comment) so that we could explain why this does not apply here / is not needed?

@travier
Contributor Author

travier commented Sep 3, 2024

#2336 should help with bootupd, but we still have coreos/fedora-coreos-tracker#1771 blocking us on Fedora CoreOS so we still might need to make it permissive for F41.

marmijo added a commit to marmijo/fedora-coreos-config that referenced this pull request Sep 3, 2024
Recent changes in the SELinux policy have broken a lot of our code.
Revert the affected domains back to permissive mode so we can
continue to build and test `releasever >= 41` until
fedora-selinux/selinux-policy#2257 merges
and the domains are reverted upstream or until the issue is resolved
altogether.
marmijo added a commit to marmijo/fedora-coreos-config that referenced this pull request Sep 3, 2024
Recent changes in the SELinux policy have broken a lot of our code.
Revert the affected domains back to permissive mode so we can
continue to build and test `releasever >= 41` until
fedora-selinux/selinux-policy#2257 merges
and the domains are reverted upstream or until the issue is resolved
altogether.

Add the workaround for `afterburn_t` as well so we can unblock
coreos/fedora-coreos-tracker#1784
marmijo added a commit to coreos/fedora-coreos-config that referenced this pull request Sep 4, 2024
Recent changes in the SELinux policy have broken a lot of our code.
Revert the affected domains back to permissive mode so we can
continue to build and test `releasever >= 41` until
fedora-selinux/selinux-policy#2257 merges
and the domains are reverted upstream or until the issue is resolved
altogether.

Add the workaround for `afterburn_t` as well so we can unblock
coreos/fedora-coreos-tracker#1784
@zpytela
Contributor

zpytela commented Sep 4, 2024

The coreos installer generators have been permissive since 2024-07-15; can I see a fresh report?

@dustymabe
Contributor

The coreos installer generators are permissive since 2024-07-15, can I see some fresh report?

https://bugzilla.redhat.com/show_bug.cgi?id=2305385#c6
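The question above is whether the domains still produce AVC denials, and whether those denials are enforced or merely logged because the domain is permissive. The script below is an added example for this discussion, not code from fedora-selinux/selinux-policy or from the CoreOS projects. It assumes standard auditd `type=AVC` records (with `scontext=`, `tclass=` and `permissive=0|1` fields); the sample records, process names and file names are constructed for illustration. It groups denials per source domain, reports which domains are still blocked in enforcing mode, and emits the CIL statement that would mark a domain permissive as a stopgap.

```python
"""Summarise SELinux AVC denials per source domain.

Added example; not part of selinux-policy or fedora-coreos-config.
Assumes auditd AVC records of the usual form and uses constructed
sample lines (two domains: one enforcing, one already permissive).
"""
import re
from collections import defaultdict

# Constructed sample audit records (not taken from any real report).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1724900000.123:456): avc:  denied  { write } for  pid=1234 comm="bootupctl" name="EFI" dev="vda2" ino=42 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1724900001.456:457): avc:  denied  { read } for  pid=2345 comm="coreos-installer" name="config.ign" dev="vda4" ino=77 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1724900001.456:457): arch=c000003e syscall=257 success=yes exit=3
type=AVC msg=audit(1724900002.789:458): avc:  denied  { write } for  pid=1234 comm="bootupctl" name="EFI" dev="vda2" ino=42 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=0
"""

# Only the fields needed for a per-domain summary are captured.
AVC_RE = re.compile(
    r"^type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
    r".*?\bpermissive=(?P<permissive>[01])"
)


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; the type is the domain.
    domain = m.group("scontext").split(":")[2]
    return {
        "domain": domain,
        "perms": m.group("perms").split(),
        "tclass": m.group("tclass"),
        # permissive=1 means the denial was logged but not enforced.
        "enforced": m.group("permissive") == "0",
    }


def summarize(audit_text):
    """Group denials by source domain: enforced vs. logged-only counts
    and the set of (tclass, permission) pairs that were denied."""
    summary = defaultdict(lambda: {"enforced": 0, "logged": 0, "denied": set()})
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        entry = summary[rec["domain"]]
        entry["enforced" if rec["enforced"] else "logged"] += 1
        for perm in rec["perms"]:
            entry["denied"].add((rec["tclass"], perm))
    return dict(summary)


def still_blocked(summary):
    """Domains that hit at least one enforced denial (sorted)."""
    return sorted(d for d, e in summary.items() if e["enforced"] > 0)


def permissive_cil(domains):
    """CIL statements that mark each domain permissive; loading such a
    module (e.g. with semodule -i) is the stopgap discussed here."""
    return "".join(f"(typepermissive {d})\n" for d in domains)


if __name__ == "__main__":
    s = summarize(SAMPLE_AUDIT)
    for domain, entry in sorted(s.items()):
        print(f"{domain}: enforced={entry['enforced']} logged={entry['logged']} "
              f"denied={sorted(entry['denied'])}")
    print(permissive_cil(still_blocked(s)), end="")
```

On real systems the input would come from `ausearch -m AVC` output; a domain that shows only `permissive=1` records is already in the state this pull request asks for, while `permissive=0` records identify the domains that still need the revert (or a proper policy fix).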

@travier
Contributor Author

travier commented Nov 4, 2024

We turned bootupd_t back to permissive for all Atomic Desktops (https://pagure.io/workstation-ostree-config/blob/main/f/bootupd.yaml#_34) until we can get #2362 fixed.

We had to do it for Fedora CoreOS as well: https://github.com/coreos/fedora-coreos-config/blob/testing-devel/manifests/selinux-workaround.yaml

It would be good to merge this one here until we get all the issues resolved again.
